1. Field of the Invention
The present invention generally relates to the field of telecommunications, and particularly to Mobile Ad-hoc NETworks (MANETs). Even more particularly, the invention relates to the implementation and enforcing of security policies in MANETs. Specifically, the invention concerns a method and a system adapted to detect and react to situations wherein the enforcement of security policies set forth for a MANET is missing or improper.
2. Description of the Related Art
The heterogeneous nature and the mobility characteristics of a MANET make it particularly difficult to control the behavior of the nodes that make up the network.
Nowadays, the acceptance of one or more network security rules by a generic MANET node, as a condition for allowing the node to access and become part of the network, does not prevent that node from violating said rules later, thereby escaping any control upon it. A node that, after an authentication procedure, has been granted access to an ad-hoc network is potentially able to perform any action, such as ceasing to properly route traffic received from and directed to other MANET nodes, allowing access to services for which some node is not authorized, or allowing access to other nodes by revealing the necessary security information, such as the ciphering keys.
For these reasons, distributed security mechanisms need to be defined for MANETs, aiming at making it more difficult to corrupt the network nodes.
The problem of the enforcement of security policies in ad-hoc networks has already been addressed.
For example, in the thesis work “Adaptive distributed firewall using intrusion detection” of L. Strand of the Oslo University, reference is made to a distributed firewalling architecture in which a master (a management station) distributes the security policies to clients, which are the nodes making up the network; the clients apply the security policies and notify the master of the results of the security policies application.
The described architecture is not expressly conceived for MANETs, but the latter is one of the environments considered as a possible application. The interaction with a distributed intrusion detection system is also considered, which, in case of necessity, makes it possible to command a reconfiguration of the firewall of a certain node.
In J. Grant et al., “Distributed firewall technology”, Signal 9 Solutions Inc., 2000, a distributed firewalling architecture is considered wherein a Distributed Firewall Server (DFS) distributes the security policies, valid for a certain network, to all the clients belonging thereto (possibly in a personalized way). Each client, in normal operation, locally creates log files of its operation (also related to possible malfunctioning of the firewall) and of the traffic passing through that node; the logged data are then sent to the DFS, which correlates them to detect possible inconsistencies with respect to the security policies deployed. The DFS, if possible, may also attempt to sniff the traffic, to check the proper implementation of the security policies deployed.
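The log correlation step attributed above to the DFS can be illustrated with a small added example (not code from the cited work or from this patent): each client logs the verdict it applied to a connection, and the server recomputes the verdict that the deployed policy requires and reports every disagreement. The policy rules, the first-match semantics, the log line layout and all addresses and node names are assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One policy rule as the DFS distributes it (assumed format: action, source CIDR, destination port)."""
    action: str     # "allow" or "deny"
    src: str        # source network in CIDR notation
    dst_port: int   # destination port, 0 matches any port


# Assumed policy deployed to every client: only the 10.0.0.0/24 network may reach ports 22 and 80.
POLICY = [
    Rule("allow", "10.0.0.0/24", 22),
    Rule("allow", "10.0.0.0/24", 80),
    Rule("deny", "0.0.0.0/0", 0),
]

# Constructed client logs: "<node> <timestamp> <src_ip> <dst_port> <verdict applied locally>".
# node2 and node3 each let through a connection that the policy requires them to deny.
CLIENT_LOGS = """\
node1 1712000000 10.0.0.5 22 allow
node1 1712000001 192.168.7.9 22 deny
node2 1712000002 10.0.0.8 80 allow
node2 1712000003 192.168.7.9 22 allow
node3 1712000004 10.0.0.9 443 allow
"""


def expected_verdict(policy, src_ip, dst_port):
    """First-match evaluation of the deployed policy; implicit deny if no rule matches."""
    for rule in policy:
        if ip_address(src_ip) in ip_network(rule.src) and rule.dst_port in (0, dst_port):
            return rule.action
    return "deny"


def parse_log(text):
    """Parse the client log format into (node, timestamp, src_ip, dst_port, verdict) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        node, ts, src, port, verdict = line.split()
        records.append((node, int(ts), src, int(port), verdict))
    return records


def correlate(policy, records):
    """DFS side: recompute the required verdict for every logged decision and report disagreements."""
    findings = []
    for node, ts, src, port, verdict in records:
        expected = expected_verdict(policy, src, port)
        if expected != verdict:
            findings.append({"node": node, "ts": ts, "src": src, "dst_port": port,
                             "logged": verdict, "expected": expected})
    return findings


def nodes_with_violations(policy=POLICY, text=CLIENT_LOGS):
    """Nodes whose logged behaviour is inconsistent with the deployed policy, sorted by name."""
    return sorted({f["node"] for f in correlate(policy, parse_log(text))})


if __name__ == "__main__":
    for finding in correlate(POLICY, parse_log(CLIENT_LOGS)):
        print(finding)
    print("inconsistent nodes:", nodes_with_violations())
```

A node that has been compromised can of course forge its own log entries, which is why the cited architecture also lets the DFS sniff traffic directly where possible; log correlation alone only catches clients that report honestly but enforce incorrectly.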
A different approach is described in S. Rajavaram et al., “Neighboring watch: an intrusion detection and response protocol for mobile ad-hoc networks”, University of Maryland, October 2002, where an architecture for detecting intrusions and anomalous behavior of the nodes belonging to a MANET is discussed. This approach exploits the fact that a client (controller) in the neighbourhood of other nodes can “listen”, over the wireless link, to the communications of said neighbouring nodes, so as to determine the presence of undesired or non-compliant traffic. The detection is made individually by every client, and the (possible) countermeasures may be applied locally, in a passive way, by excluding the malicious node from the announcements performed by the controller with the routing protocol, or in an active way, by notifying the violation to a master-cluster station that sets up an election system involving all the MANET nodes for deciding together whether or not to exclude a certain client.
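The neighbour-watch scheme summarized above, as an added example that is not code from the cited paper or from this patent: each controller judges its neighbours from what it overhears on the shared link, applies the passive countermeasure to its own routing announcements, and the master-cluster station runs the election for the active countermeasure. The forwarding-ratio policy, the vote rule, the node names and all observation counts are constructed assumptions; the election deliberately ignores the suspect's own vote and requires a strict majority of at least two observers, so that a single false accusation cannot expel a node on its own.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """What one controller overheard about one neighbour on the wireless link."""
    observer: str
    subject: str
    handed: int      # packets the observer handed to `subject` for onward forwarding
    forwarded: int   # of those, how many the observer later overheard `subject` retransmit


# Constructed sample: node C silently discards most traffic it is asked to forward,
# node D happens to see C behaving, and C itself files a bogus accusation against A.
OBSERVATIONS = [
    Observation("A", "B", 100, 98),
    Observation("A", "C", 100, 10),
    Observation("B", "C", 80, 12),
    Observation("D", "C", 50, 49),
    Observation("B", "A", 60, 59),
    Observation("D", "B", 40, 40),
    Observation("C", "A", 30, 0),
]

# Constructed neighbour sets that each node would normally announce via the routing protocol.
ANNOUNCED_NEIGHBOURS = {
    "A": {"B", "C"},
    "B": {"A", "C"},
    "C": {"A", "B"},
    "D": {"B", "C"},
}

DROP_THRESHOLD = 0.5  # assumed policy: forwarding fewer than half of the packets is a violation


def drop_ratio(obs):
    """Fraction of handed-over packets never seen forwarded (0.0 if nothing was handed over)."""
    if obs.handed == 0:
        return 0.0
    return 1.0 - obs.forwarded / obs.handed


def local_verdicts(observations, threshold=DROP_THRESHOLD):
    """Individual detection: each controller judges its neighbours from its own observations only.

    Returns {observer: {subject: True if the observer considers it a violator}}.
    """
    verdicts = defaultdict(dict)
    for obs in observations:
        verdicts[obs.observer][obs.subject] = drop_ratio(obs) > threshold
    return dict(verdicts)


def passive_response(announced, verdicts):
    """Passive countermeasure: a controller stops announcing routes through neighbours it flagged."""
    return {node: {n for n in neighbours if not verdicts.get(node, {}).get(n, False)}
            for node, neighbours in announced.items()}


def election(verdicts, suspect):
    """Active countermeasure: the master-cluster station polls every node that observed the suspect.

    The suspect's own vote is ignored and exclusion needs a strict majority of at least
    two voters, so one accuser alone (here C accusing A) cannot expel a node.
    """
    votes = [v[suspect] for voter, v in verdicts.items() if voter != suspect and suspect in v]
    if len(votes) < 2:
        return False
    return sum(votes) * 2 > len(votes)


def excluded_nodes(observations=OBSERVATIONS):
    """Run local detection plus the election for every observed node; return the set to exclude."""
    verdicts = local_verdicts(observations)
    suspects = {obs.subject for obs in observations}
    return {s for s in suspects if election(verdicts, s)}


if __name__ == "__main__":
    verdicts = local_verdicts(OBSERVATIONS)
    print("local verdicts:", verdicts)
    print("routes still announced:", passive_response(ANNOUNCED_NEIGHBOURS, verdicts))
    print("nodes excluded by election:", excluded_nodes())
```

With the constructed observations, A and B both flag C while D does not, so the election excludes C on a two-to-one vote; C's lone accusation of A fails the majority rule, which is exactly the situation the election mechanism is meant to handle.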